You are here
Home > Preporuke > Ranjivosti programskog paketa ntp

Ranjivosti programskog paketa ntp

  • Detalji os-a: LMV
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LMV

Hash: SHA1


Mandriva Linux Security Advisory MDVSA-2015:003

Package : ntp
Date : January 5, 2015
Affected: Business Server 1.0

Problem Description:

Updated ntp packages fix security vulnerabilities:

If no authentication key is defined in the ntp.conf file, a
cryptographically-weak default key is generated (CVE-2014-9293).

ntp-keygen before 4.2.7p230 uses a non-cryptographic random number
generator with a weak seed to generate symmetric keys (CVE-2014-9294).

A remote unauthenticated attacker may craft special packets that
trigger buffer overflows in the ntpd functions crypto_recv() (when
using autokey authentication), ctl_putdata(), and configure(). The
resulting buffer overflows may be exploited to allow arbitrary
malicious code to be executed with the privilege of the ntpd process

A section of code in ntpd handling a rare error is missing a return
statement, therefore processing did not stop when the error was
encountered. This situation may be exploitable by an attacker

The ntp package has been patched to fix these issues.


Updated Packages:

Mandriva Business Server 1/X86_64:
25fe56fc0649ac9bb83be467969c2380 mbs1/x86_64/ntp-4.2.6p5-8.1.mbs1.x86_64.rpm
9409f5337bc2a2682e09db81e769cd5c mbs1/x86_64/ntp-client-4.2.6p5-8.1.mbs1.x86_64.rpm
df65cc9c536cdd461e1ef95318ab0d3b mbs1/x86_64/ntp-doc-4.2.6p5-8.1.mbs1.x86_64.rpm
53f446bffdf6e87726a9772e946c5e34 mbs1/SRPMS/ntp-4.2.6p5-8.1.mbs1.src.rpm

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg –recv-keys –keyserver 0x22458A98

You can view other update advisories for Mandriva Linux at:

If you want to report vulnerabilities, please contact


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
Version: GnuPG v1.4.12 (GNU/Linux)


To unsubscribe, send a email to
with this subject : unsubscribe security-announce
Want to buy your Pack or Services from Mandriva?
Go to

AutorTomislav Protega
Cert idNCERT-REF-2015-01-0006-ADV
CveCVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296
ID izvornikaMDVSA-2015:003
More in Preporuke
Ranjivost programskog paketa strongswan

Otkrivena je ranjivost u charon IKEv2 pozadinskom procesu za strongSwan. Ranjivost je uzrokovana neispravnim upravljanjem IKEv2 korisnim sadržajem koji sadrži...